FEDERAL ELECTION COMMISSION

OFFICE OF INSPECTOR GENERAL

FINAL REPORT

Audit of the Federal Election Commission's Fiscal Year 2012 Financial Statements

November 2012

ASSIGNMENT No. OIG-12-03

FEDERAL ELECTION COMMISSION
WASHINGTON, D.C. 20463
Office of Inspector General

MEMORANDUM

TO:       The Commission

FROM:     Inspector General

SUBJECT:  Audit of the Federal Election Commission's Fiscal Year 2012 Financial Statements

DATE:     November 14, 2012

Pursuant to the Chief Financial Officers Act of 1990, commonly referred to as the "CFO Act," as amended, this letter transmits the Independent Auditor's Report issued by Leon Snead & Company (LSC), P.C. for the fiscal year ending September 30, 2012. The audit was performed under a contract with, and monitored by, the Office of Inspector General (OIG), in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and applicable provisions of Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended.

Opinion on the Financial Statements

LSC audited the balance sheet of the Federal Election Commission (FEC) as of September 30, 2012, and the related statements of net cost, changes in net position, budgetary resources, and custodial activity (the financial statements) for the year then ended. The objective of the audit was to express an opinion on the fair presentation of those financial statements.
In connection with the audit, LSC also considered the FEC's internal control over financial reporting and tested the FEC's compliance with certain provisions of applicable laws and regulations that could have a direct and material effect on its financial statements. The financial statements of the FEC as of September 30, 2011, were also audited by LSC, whose report dated November 14, 2011, expressed an unqualified opinion on those statements.

In LSC's opinion, the financial statements present fairly, in all material respects, the financial position, net cost, changes in net position, budgetary resources, and custodial activity of the FEC as of, and for the year ending, September 30, 2012, in conformity with accounting principles generally accepted in the United States of America.

Report on Internal Control

In planning and performing the audit of the financial statements of the FEC, LSC considered the FEC's internal control over financial reporting (internal control) as a basis for designing auditing procedures for the purpose of expressing their opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the FEC's internal control. Accordingly, LSC did not express an opinion on the effectiveness of the FEC's internal control.

Because of inherent limitations in internal controls, including the possibility of management override of controls, misstatements, losses, or noncompliance may nevertheless occur and not be detected.
According to the American Institute of Certified Public Accountants:

• A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis.
• A significant deficiency is a control deficiency, or combination of control deficiencies, that adversely affects the entity's ability to initiate, authorize, record, process, or report financial data reliably in accordance with generally accepted accounting principles such that there is a more than remote likelihood that a misstatement of the entity's financial statements that is more than inconsequential will not be prevented or detected by the entity's internal control.
• A material weakness is a significant deficiency, or combination of significant deficiencies, that results in more than a remote likelihood that a material misstatement of the financial statements will not be prevented or detected by the entity's internal control.

LSC's consideration of internal control was for the limited purpose described in the first paragraph in this section and would not necessarily identify all deficiencies in internal control that might be significant deficiencies or material weaknesses. LSC did not identify any deficiencies in internal control that LSC would consider to be material weaknesses, as defined above. However, LSC did identify a significant deficiency in internal controls related to Information Technology security.

Report on Compliance with Laws and Regulations

FEC management is responsible for complying with laws and regulations applicable to the agency.
To obtain reasonable assurance about whether FEC's financial statements are free of material misstatements, LSC performed tests of compliance with certain provisions of laws and regulations, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain other laws and regulations specified in OMB Bulletin No. 07-04, as amended. LSC did not test compliance with all laws and regulations applicable to FEC.

The results of LSC's tests of compliance with laws and regulations described in the audit report disclosed no instance of noncompliance with laws and regulations that is required to be reported under U.S. generally accepted government auditing standards or OMB guidance.

Audit Follow-up

The independent auditor's report contains recommendations to address deficiencies found by the auditors. Management was provided a draft copy of the audit report for comment and generally concurred with some of the findings and recommendations. In accordance with OMB Circular No. A-50, Audit Follow-up, revised, the FEC is to prepare a corrective action plan that will set forth the specific action planned to implement the agreed-upon recommendations and the schedule for implementation. The Commission has designated the Chief Financial Officer to be the audit follow-up official for the financial statement audit.

OIG Evaluation of Leon Snead & Company's Audit Performance

We reviewed LSC's report and related documentation and made necessary inquiries of its representatives. Our review was not intended to enable the OIG to express, and we do not express, an opinion on the FEC's financial statements; nor do we provide conclusions about the effectiveness of internal control or conclusions on FEC's compliance with laws and regulations.
However, the OIG review disclosed no instances where LSC did not comply, in all material respects, with Government Auditing Standards.

We appreciate the courtesies and cooperation extended to LSC and the OIG staff during the audit. If you should have any questions concerning this report, please contact my office on (202) 694-1015.

Lynne A. McFarland
Inspector General

Attachment

Cc:  Alec Palmer, Staff Director/Chief Information Officer
     Judy Berning, Acting Chief Financial Officer
     Anthony Herman, General Counsel

Federal Election Commission
Audit of Financial Statements
As of and for the Years Ended September 30, 2012 and 2011

Submitted By
Leon Snead & Company, P.C.
Certified Public Accountants & Management Consultants

TABLE OF CONTENTS

                                                                 Page
Independent Auditor's Report ......................................  1
Attachment 1, Chart on FEC's Corrective Actions ................... 29
Attachment 2, Status of Prior Year Reportable Conditions .......... 31
Agency Response to Report

The Commission, Federal Election Commission
Inspector General, Federal Election Commission

Independent Auditor's Report

We have audited the balance sheets of the Federal Election Commission (FEC) as of September 30, 2012 and 2011, and the related statements
of net cost, changes in net position, budgetary resources, and custodial activity (the financial statements) for the years then ended. The objective of our audit was to express an opinion on the fair presentation of those financial statements. In connection with our audit, we also considered the FEC's internal control over financial reporting and tested the FEC's compliance with certain provisions of applicable laws and regulations that could have a direct and material effect on its financial statements.

SUMMARY

As stated in our opinion on the financial statements, we found that the FEC's financial statements as of and for the years ended September 30, 2012 and 2011, are presented fairly, in all material respects, in conformity with accounting principles generally accepted in the United States of America.

Our consideration of internal control would not necessarily disclose all deficiencies in internal control over financial reporting that might be material weaknesses under standards issued by the American Institute of Certified Public Accountants. However, our testing of internal control identified no material weaknesses in financial reporting. We did note one significant deficiency related to internal controls for the FEC's agency-wide Information Technology (IT) security program, which is discussed later in our report.

The results of our tests of compliance with certain provisions of laws and regulations disclosed no instance of noncompliance that is required to be reported herein under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No.
07-04, Audit Requirements for Federal Financial Statements (as amended).

The following sections discuss in more detail our opinion on the FEC's financial statements, our consideration of the FEC's internal control over financial reporting, our tests of the FEC's compliance with certain provisions of applicable laws and regulations, and management's and our responsibilities.

OPINION ON THE FINANCIAL STATEMENTS

We have audited the accompanying balance sheets of the FEC as of September 30, 2012 and 2011, and the related statements of net cost, changes in net position, budgetary resources and custodial activity for the years then ended.

In our opinion, the financial statements referred to above present fairly, in all material respects, the financial position, net cost, changes in net position, budgetary resources and custodial activity of the FEC as of and for the years ended September 30, 2012 and 2011, in conformity with accounting principles generally accepted in the United States of America.

Accounting principles generally accepted in the United States of America require that Management's Discussion and Analysis be presented to supplement the basic financial statements. Such information, although not a part of the basic financial statements, is required by the Federal Accounting Standards Advisory Board (FASAB), which considers it to be an essential part of financial reporting for placing the basic financial statements in an appropriate operational, economic, or historical context.
We have applied certain limited procedures to the required supplementary information in accordance with auditing standards generally accepted in the United States of America, which consisted of inquiries of management about the methods of preparing the information and comparing the information for consistency with management's responses to our inquiries, the basic financial statements, and other knowledge we obtained during our audit of the basic financial statements. We do not express an opinion or provide any assurance on the information because the limited procedures do not provide us with sufficient evidence to express an opinion or provide any assurance.

RESPONSIBILITIES

Management Responsibilities

Management of the FEC is responsible for: (1) preparing the financial statements in conformity with generally accepted accounting principles; (2) establishing, maintaining, and assessing internal control to provide reasonable assurance that the broad control objectives of the Federal Managers Financial Integrity Act (FMFIA) are met; and (3) complying with applicable laws and regulations. In fulfilling this responsibility, estimates and judgments by management are required to assess the expected benefits and related costs of internal control policies.

Auditor Responsibilities

Our responsibility is to express an opinion on the financial statements based on our audit. We conducted our audit in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin 07-04, Audit Requirements for Federal Financial Statements (as amended).

Leon Snead & Company, P.C.    2
Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement.

An audit includes (1) examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements; and (2) assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audit provides a reasonable basis for our opinion.

In planning and performing our audit, we considered the FEC's internal control over financial reporting by obtaining an understanding of the agency's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls in order to determine our auditing procedures for the purpose of expressing our opinion on the financial statements.

We limited our internal control testing to those controls necessary to achieve the objectives described in OMB Bulletin 07-04 (as amended) and Government Auditing Standards. We did not test all internal controls relevant to operating objectives as broadly defined by FMFIA. Our procedures were not designed to provide an opinion on internal control over financial reporting. Consequently, we do not express an opinion thereon.

As part of obtaining reasonable assurance about whether the agency's financial statements are free of material misstatement, we performed tests of its compliance with certain provisions of laws, regulations, and significant provisions of contracts, noncompliance with which could have a direct and material effect on the determination of financial statement amounts, and certain other laws and regulations specified in OMB Bulletin 07-04 (as amended).
We limited our tests of compliance to these provisions and we did not test compliance with all laws and regulations applicable to the FEC. Providing an opinion on compliance with certain provisions of laws, regulations, and significant contract provisions was not an objective of our audit and, accordingly, we do not express such an opinion.

INTERNAL CONTROL OVER FINANCIAL REPORTING

In planning and performing our audit of the financial statements of the FEC as of and for the years ended September 30, 2012 and 2011, in accordance with auditing standards generally accepted in the United States of America, we considered the FEC's internal control over financial reporting (internal control) as a basis for designing our auditing procedures for the purpose of expressing our opinion on the financial statements, but not for the purpose of expressing an opinion on the effectiveness of the FEC's internal control. Accordingly, we do not express an opinion on the effectiveness of the FEC's internal control.

Because of inherent limitations in internal controls, including the possibility of management override of controls, misstatements, losses, or noncompliance may nevertheless occur and not be detected. A control deficiency exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent or detect misstatements on a timely basis. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the financial statements will not be prevented or detected and corrected on a timely basis.
A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance of the FEC.

Our consideration of internal control was for the limited purpose described in the first paragraph in this section of the report and would not necessarily identify all deficiencies in internal control that might be deficiencies, significant deficiencies or material weaknesses. We did not identify any deficiencies in internal control that we consider to be material weaknesses, as defined above. However, as discussed below, we identified a deficiency in internal control that we consider to be a significant deficiency.

Findings and Recommendations

FEC's governance and management officials' decision to not fully adopt Information Technology (IT) best practices increases risk to the agency's information and information systems. Other federal agencies exempted from the Federal Information Security Management Act (FISMA)[1] have adopted these best practices to ensure information and information systems are properly secured. The absence of FEC policies requiring Office of the Chief Information Officer (OCIO) personnel to perform and document a fact-based risk assessment when deciding not to adopt an IT security best practice requirement increases risk to the agency's information and information systems. Without adopting and implementing National Institute of Standards and Technology (NIST) minimum security controls, the FEC's computer network, data and information are at an increased risk of loss, theft, manipulation, interruption of operations, and other adverse actions.

Best practice guidance and/or FEC policies that provide guidance on issues discussed in this finding include: OMB Circular A-130, Management of Federal Information Resources; Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems; Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations; SP 800-118, Guide to Enterprise Password Management; SP 800-34, Contingency Planning Guide for Federal Information Systems; OMB Bulletins; Department of Homeland Security directives; and FEC IT Security Policies 58.2.2, 58.2.4, and 58-4.3. In addition, Office of Management and Budget Circular A-50, Audit Follow-up, as revised, and FEC Directive 50, Audit Follow-up, provide guidance on the requirements for audit follow-up.

The issues we identified with FEC IT security controls are detailed below.

A. Full Adoption of NIST Best Practices Would Strengthen FEC's Information and Information Systems

As we have reported since 2009, FEC, unlike other Federal agencies exempted from FISMA compliance, has not fully adopted the minimum government-wide IT security controls and techniques released by NIST. FEC officials advised that they follow NIST "best practices" where applicable to their operations. However, there are no FEC policies that guide when an analysis should be performed in making a decision whether or not to implement required government-wide security practices.

[1] The National Institute of Standards and Technology (NIST) noted that the E-Government Act (Public Law 107-347), passed by the 107th Congress and signed into law by President George W. Bush in December 2002, recognized the importance of information security to the economic and national security interests of the United States. "NIST employs a comprehensive public review process on every FISMA standard and guideline to ensure the security standards and guidelines are of the highest quality—that is, technically correct and implementable. NIST actively solicits and encourages individuals and organizations in the public and private sectors to provide feedback on the content of each of the FISMA publications. In most cases, the FISMA security publications go through three full public vetting cycles providing an opportunity for individuals and organizations to actively participate in the development of the standards and guidelines. NIST also works closely with owners, operators, and administrators of information systems within NIST to obtain real-time feedback on the implementability of the specific safeguards and countermeasures (i.e., security controls) being proposed for federal information systems. Finally, NIST has an extensive outreach program that maintains close contact with security professionals at all levels to ensure important feedback can be incorporated into future updates of the security standards and guidelines. The combination of an extensive public review process for standards and guideline development, the experience in prototyping and implementing the safeguards and countermeasures in the information systems owned and operated by NIST, and the aggressive outreach program that keeps NIST in close contact with its constituents, produces high-quality, widely accepted security standards and guidelines that are not only used by the federal government, but are frequently adopted on a voluntary basis by many organizations in the private sector."
In addition, we were advised that there is no documentation retained to support such critical decisions that impact the security of FEC's information and information systems. Tests of selected IT security controls found numerous instances where applicable best practice controls were not implemented by FEC, and we were unable to locate substantive analysis of the risk to the agency of not adopting these minimum best practices. Controls tested included: vulnerability scanning of the FEC's entire network; implementation of minimum established password controls; configuration management; user access controls; certification and accreditation controls; and implementation of one of the President's national security initiatives, TIC (Trusted Internet Connections).

In prior audit reports, we recommended that FEC adopt the NIST IT security controls established in FIPS 200 and SP 800-53, and other related FISMA security documents. We also reported that the Government Accountability Office (GAO), another Federal agency exempt from FISMA, had adopted the NIST security requirements. GAO stated[2] that it "adheres to federal information security governance, such as OMB and National Institute of Standards and Technology guidance."

[2] See GAO Performance and Accountability Report – 2011, page 58.
The Inspector General's "Statement on the Federal Election Commission's Management and Performance Challenges," dated October 14, 2011, stated:

"…Since 2004, the OIG (Office of Inspector General) has reported, and continues to believe that it is in the best interest of the agency to formally adopt government-wide IT security standards to ensure the FEC has an effective information security program. For several years, the OIG's auditors have identified IT practices that are not aligned with the minimal best practice standards that are followed by federal agencies government-wide. Lastly, the agency has failed to adequately define the set of best practices used to secure the FEC's information technology."

FEC officials have indicated that the agency makes informed decisions when deciding whether to adopt government-wide IT security requirements. As part of our audit testing, we requested that OCIO officials provide us with FEC policy guidance that requires a risk-based analysis of IT security requirements, and/or documentation that would provide support for a decision to not adopt a government-wide IT security requirement for the period 2010 to present. We also requested that FEC provide us with any documentation that would support the decision to not adopt two key government-wide IT security requirements: the Trusted Internet Connections (TIC)[3], which has been a requirement since 2007, and the Federal Acquisition Regulation (FAR)[4], which mandates that FISMA security requirements be included in IT service and related contracts.
OCIO officials advised us that FEC does not have a procedure that requires such an analysis, and there was no documentation of any analysis identifying the risks of not adopting these two key security requirements.

An illustration of the importance of FEC implementing a policy requirement to perform a risk-based analysis when deciding not to adopt a government-wide security requirement, and to document this decision with the approval of the CIO, at a minimum, is the decision of FEC officials to not implement the TIC.

TIC was introduced in OMB Memorandum M-08-05, dated November 20, 2007. The initiative was described in the memorandum as an effort to develop "a common [network] solution for the federal government" that would reduce the number of external Internet connections for the entire government to 50. The memorandum stated that "each agency will be required to develop a comprehensive POA&M (Plan of Action and Milestones)" to implement TIC, but it neither defined "agency" nor referred to any legal authority supporting the initiative. FEC's Office of General Counsel (OGC) analyzed this document and determined that since POA&Ms were required by FISMA or its predecessor statute, and because this POA&M requirement appeared to be an expansion of an existing requirement from which the Commission was exempt, the FEC was exempt from TIC.

In a June 2009 memorandum to the Staff Director, OGC noted that on January 8, 2008, former President Bush signed Homeland Security Presidential Directive (HSPD) Number 23, which authorizes the Department of Homeland Security (DHS) to deploy Einstein 2, an automated intrusion detection system, across Federal networks. Einstein 2 would allow the DHS, National Cyber Security Division, and U.S. Computer Emergency Readiness Team (US-CERT) to consolidate Federal system intrusion detection, incident analysis and cyber response capabilities.

[3] TIC was introduced in OMB Memorandum M-08-05, Implementation of Trusted Internet Connections (TIC), dated November 20, 2007, and required that agencies develop "a common solution for the federal government" that would reduce the number of external Internet connections for the entire government to 50. National Security Presidential Directive 54/Homeland Security Presidential Directive 23, Cyber Security and Monitoring (NSPD-54 and HSPD-23), issued in January 2008, included TIC as Initiative #1, Manage the Federal Enterprise Network as a single network enterprise with Trusted Internet Connections. The Trusted Internet Connections (TIC) initiative, headed by the Office of Management and Budget and the Department of Homeland Security, covers the consolidation of the Federal government's external access points (including those to the Internet). This consolidation will result in a common security solution which includes: facilitating the reduction of external access points; establishing baseline security capabilities; and validating agency adherence to those security capabilities.

[4] Page 7.1-2, FAR Section 7.103 states: "Agency-head responsibilities--- The agency head or a designee shall prescribe procedures for ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544)..."
HSPD-23 is classified; therefore, the specific authorizing statute for the directive and the extent of its application to the Federal Election Commission are unknown. The OGC stated that "We confirmed with DHS on November 12, 2008 that in DHS's view the Commission is within the scope of the presidential directive. However, unclassified legal briefing materials provided by the Department of Justice indicate that at least part of the directive may be authorized by FISMA, from which the FEC is exempt. Thus, there is a possibility that HSPD-23 is only partially applicable to the FEC, or is not applicable at all to the FEC. Since the directive itself is classified, and limited unclassified information has been released, we do not have sufficient information at this time to confirm HSPD-23's applicability to the FEC."

While it was DHS's position, as confirmed by the FEC GC in a memorandum issued in August 2012 to the Staff Director, that the TIC was a critically important IT security measure that was applicable to FEC, the FEC did not implement this Presidential security initiative. Instead, FEC officials took no action to assess the importance of this government-wide initiative or evaluate whether risks would be reduced if FEC implemented this security requirement. As a result of this audit, the FEC now agrees that the TIC initiative must be implemented.
A failure by the\n       FEC to perform due diligence on this control as required in 2007, increased the\n       risk that the agency\xe2\x80\x99s network could have been exposed to a network intrusion or\n       other computer network attack.\n\n       Recommendations\n\n       1.\t Formally adopt as a model for FEC, the NIST IT security controls established\n           in FIPS 200 and SP 800-53, as the Government Accountability Office has\n           done.\n\n\n\n\nLeon Snead & Company, P.C.\t                    7\n\x0c           Agency Response\n           The Deputy CIO for Operations advised that the OCIO disagrees with this\n           recommendation. The FEC has adopted, and has put in place the necessary\n           security requirements and controls to ensure that the FEC IT systems are\n           secure. As an agency exempt from FISMA, the controls in place reflect the\n           appropriate level of security and acceptable risk to support the mission and\n           safeguard the data of the agency. The agency\'s security program is governed\n           by Directive 58 which consists of 34 policies, 8 distinct procedures, adoption\n           of 18 standards, all documented and signed and endorsed by the CIO.\n\n           Auditor\xe2\x80\x99s Comments\n           We continue to believe that the FEC\xe2\x80\x99s information and information systems\n           are at high risk because of the decision made by FEC officials not to adopt all\n           minimum security requirements that the Federal government has adopted,\n           including the GAO which is also exempt from FISMA requirements. We do\n           not dispute that the FEC has issued policies and procedures. Our position is\n           that these policies and procedures are not currently adequate to secure FEC\xe2\x80\x99s\n           information and information systems. 
As discussed above, had FEC not\n           declined to adopt mandatory security procedures included in the \xe2\x80\x9ctrusted\n           internet connection,\xe2\x80\x9d even after the DHS advised the requirement was\n           applicable to FEC, risk to the agency computer network could have been\n           minimized.\n\n       2.\t Revise FEC policies to require that FEC contractors adhere to the FAR\n           FISMA related requirements, and mandate that FEC contractors follow\n           FISMA IT controls when providing services to the federal government. Use\n           NIST SP 800-53 as guidance for establishing IT controls that contractors must\n           follow.\n\n           Agency Response\n           The Deputy CIO for Operations advised that the OCIO disagrees with this\n           recommendation. As a FISMA exempt agency, the FEC incorporates language\n           and is supported by FAR clauses that address the level of security necessary to\n           safeguard agency security in all of its contracts. This language was agreed to\n           by the agency contracting officer and ISSO, contractors are required to adhere\n           to the same level of security that FEC employees are.\n\n           Auditor\xe2\x80\x99s Comments\n           FEC should not use the agency\xe2\x80\x99s FISMA exemption to also exempt its\n           contractors from meeting minimum federal government IT security\n           requirements. The federal government has established a comprehensive IT\n           services contracting process that assures that minimum security requirements\n           are met, including the requirement of a continuous monitoring process over\n           these IT services. 
If FEC continues to refuse to adopt these federal\n           requirements, the agency will be required to stand alone in its development of\n\n\n\n\nLeon Snead & Company, P.C.\t                   8\n\x0c           IT security controls, and complete a duplicate and ineffective continuous\n           monitoring process.\n\n       3.\t Develop a time-phased corrective action plan to address the prompt\n           implementation of the TIC by FEC. Ensure that TIC is implemented as soon\n           as possible, but no later than June 2013.\n\n           Agency Response\n           The Deputy CIO for Operations advised that the OCIO agrees with this\n           recommendation that the FEC must now comply with TIC. In light of new\n           information provided to the FEC in August 2012, that requires the FEC to\n           implement TIC, the FEC will develop a plan to address TIC implementation.\n           This plan will be developed dependent upon the availability of resources\n           required, and we cannot commit to a specific timeframe until a detailed\n           analysis of what is required is performed. The FEC is scheduled to meet with\n           Commerce Department to discuss lessons learned.\n\n           Auditor\xe2\x80\x99s Comments\n           The OCIO agreed to implement this recommendation; however, the agency\n           would not commit to a specific timeframe for completion. It has been almost\n           four years since the DHS advised the agency that the implementation of TIC\n           was a requirement for FEC. 
We believe that this Presidential initiative should\n           be implemented immediately, and until the agency fully implements this\n           project, the agency\xe2\x80\x99s information and information systems remain at high risk.\n\n       4.\t Revise FEC policies and procedures to require a documented, fact-based risk\n           assessment prior to deciding not to adopt a government-wide IT security best\n           practice, or IT security requirement contained in the Federal Acquisition\n           Regulations. Require the CIO to approve and accept the risk of any deviation\n           from government-wide IT security best practices (i.e. NIST, FAR IT controls)\n           that are applicable to the FEC business operations. Retain documentation of\n           these decisions.\n\n           Agency Response\n           The Deputy CIO for Operations advised that the OCIO disagrees with this\n           recommendation. The Office of General Counsel provides opinion on which\n           government-wide security requirements are applicable to this agency, based\n           upon specific exemptions granted by Congress. If the agency is indeed\n           exempted from a requirement, the OCIO will determine whether or not the\n           agency will establish and maintain "best practice" of that exemption within\n           the resources available. Documentation of the opinion of the agency\'s General\n           Counsel on each exemption of applicable law or regulation is maintained on\n           file.\n\n\n\n\nLeon Snead & Company, P.C.\t                   9\n\x0c             Auditor\xe2\x80\x99s Comments\n             The FEC\xe2\x80\x99s information and information systems will continue to remain at\n             risk until the agency begins to make documented, risk-based IT security\n             decisions. 
Currently, FEC\xe2\x80\x99s IT security decisions appear to be based\n             primarily upon whether the agency is legally exempt from the government-\n             wide requirement, instead of a determination that implementation of the\n             security requirement would make the agency\xe2\x80\x99s information and information\n             systems more secure. As noted above, the agency failed to implement one of\n             the President\xe2\x80\x99s top IT security priorities because the agency erroneously\n             believed it may have been indirectly linked to the legislation that implemented\n             FISMA.\n\n    B. Access Controls\n\n        FEC\xe2\x80\x99s access controls do not meet best practice controls, and in some instances\n        FEC policies. Our tests of this key IT security control identified the following\n        problems:\n\n        User Accounts: Passwords are the keys to accessing FEC\xe2\x80\x99s general support\n        system (GSS) and related information and information systems, and provide\n        front-end access to FEC\xe2\x80\x99s accounting, financial management and payroll systems.\n        Therefore, the strength of FEC\xe2\x80\x99s access controls and passwords is critically\n        important. We have reported since 2009 that the password requirements\n        established by FEC are weak, and do not meet OMB mandated government-wide\n        requirements for password strength (see issues below for further details). Because\n        FEC is exempt from the legislation underlining OMB requirements relating to this\n        area, FEC officials have elected not to implement several of the minimum\n        government-wide requirements for strengthening passwords. 
The agency did not\n        have any documentation to support this decision.\n\n        Accounts with Passwords that Never Expire: During our review of access\n        controls, we obtained a listing of user accounts with passwords set never to expire\n        (therefore, the same password would be used for this account until either this\n        setting is changed, or the account\xe2\x80\x99s password is changed manually). From a total\n        listing of about 570 accounts, approximately 140 accounts had passwords without\n        expiration dates. We identified that approximately 100 of the 140 accounts had\n        passwords that had not been changed since 2010. According to the records\n        provided, approximately 80 of the 140 accounts had not had a password change\n        since 2007, and a large number of these dated to 1998. In addition, our analysis\n        of the records provided, found approximately 40 of the 140 accounts listed as\n        active users were shown as having never logged into the accounts. Further, we\n        noted that many of these accounts contained some form of administrator 5\n        authority for selected areas or network operations.\n\n5\n The term used for an account that has access privileges that a normal account would not be allowed to\nobtain. In most cases, for the system or network on which it is located, the administrator account could\nhave almost unlimited authority.\n\n\n\nLeon Snead & Company, P.C.                            10\n\x0c        Disabled Accounts Remain on Active Directory: As part of our analysis of\n        user accounts, we noted that approximately 400 apparently disabled user accounts\n        remained on the active directory. The records provided by OCIO showed that the\n        accounts had never logged into the network. 
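
The account review described in the findings above (non-expiring passwords, passwords unchanged for years, accounts that have never logged on, administrator authority on those accounts, and disabled accounts left in the directory), as an added example that is not part of the audit report or the FEC's own tooling. It reads a CSV export of user accounts of the kind Get-ADUser can produce; the column layout, the sample records, the list of privileged groups and the 2012 reference dates are all constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (not FEC data). An empty PasswordLastSet or
# LastLogonDate means the attribute was never set, i.e. the password was
# never changed or the account never logged on. MemberOf lists group names
# separated by ";".
SAMPLE_EXPORT = """\
SamAccountName,Enabled,PasswordNeverExpires,PasswordLastSet,LastLogonDate,MemberOf
jdoe,True,False,2012-08-01,2012-09-28,Staff
svc_backup,True,True,1998-03-14,,Domain Admins;Backup Operators
svc_payroll,True,True,2007-06-30,2011-02-11,Payroll Ops
old_admin,True,True,2009-11-02,,Domain Admins
contractor1,True,True,2012-05-10,2012-09-20,Contractors
asmith,True,False,2012-09-01,2012-09-29,Staff
left2010,False,False,2010-01-05,,Staff
left2008,False,True,2008-04-17,,Account Operators
"""

# Groups treated as carrying administrator authority (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins",
                     "Administrators", "Account Operators", "Backup Operators"}


def _date(text):
    """Parse an ISO date; an empty field means the attribute was never set."""
    return datetime.strptime(text, "%Y-%m-%d") if text else None


def parse_export(text):
    """Turn the CSV export into a list of typed account records."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        accounts.append({
            "name": row["SamAccountName"],
            "enabled": row["Enabled"] == "True",
            "never_expires": row["PasswordNeverExpires"] == "True",
            "pwd_set": _date(row["PasswordLastSet"]),
            "last_logon": _date(row["LastLogonDate"]),
            "groups": {g.strip() for g in row["MemberOf"].split(";") if g.strip()},
        })
    return accounts


def audit_accounts(accounts, as_of, stale_before, inactive_days=365):
    """Group accounts into the categories the audit reported.

    as_of: date of the review.
    stale_before: non-expiring passwords last set before this date are stale.
    inactive_days: an enabled non-expiring account with no logon inside this
        window is a termination candidate (recommendation 8); a non-expiring
        password older than the window is due for annual rotation
        (recommendation 7). Disabled accounts are reported separately as
        leftovers in the directory (recommendation 9).
    """
    window_start = as_of - timedelta(days=inactive_days)
    enabled = [a for a in accounts if a["enabled"]]
    never_exp = [a for a in enabled if a["never_expires"]]

    def before(d, limit):
        # A missing date counts as older than anything: never set / never used.
        return d is None or d < limit

    return {
        "never_expires": {a["name"] for a in never_exp},
        "stale_password": {a["name"] for a in never_exp
                           if before(a["pwd_set"], stale_before)},
        "never_logged_on": {a["name"] for a in never_exp if a["last_logon"] is None},
        "privileged": {a["name"] for a in never_exp if a["groups"] & PRIVILEGED_GROUPS},
        "terminate_candidates": {a["name"] for a in never_exp
                                 if before(a["last_logon"], window_start)},
        "rotation_overdue": {a["name"] for a in never_exp
                             if before(a["pwd_set"], window_start)},
        "disabled_in_ad": {a["name"] for a in accounts if not a["enabled"]},
    }


def run_sample_audit():
    """Audit the constructed export as of 30 Sep 2012 (fiscal year end),
    treating passwords last set before 2010 as stale."""
    accounts = parse_export(SAMPLE_EXPORT)
    return audit_accounts(accounts, datetime(2012, 9, 30), datetime(2010, 1, 1))


if __name__ == "__main__":
    findings = run_sample_audit()
    print(f"{len(parse_export(SAMPLE_EXPORT))} accounts in export")
    for category, names in findings.items():
        print(f"{category:22s} {len(names):3d}  {sorted(names)}")
```

The "privileged" and "terminate_candidates" sets are the ones a reviewer would act on first; the counts printed per category are the figures an audit of this kind reports.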
OCIO officials advised that a review\n        will be conducted of these accounts this year.\n\n        Processes for Assigning Replacement and Initial Passwords 6: We requested\n        all FEC policies and operating procedures relating to this area for testing.\n        However, we were advised by OCIO officials that the FEC does not have written\n        policies or operating procedures for establishing initial account passwords or\n        replacement passwords. OCIO officials stated that \xe2\x80\x9cWhen systems administrators\n        (SAs) are notified, through the FEC System Access (FSA) system, that there is a\n        need to establish an account, the SA then establishes an account with a generic\n        password of his or her choosing; this is not recorded for security reasons. Then\n        either through the new hire orientation program, or through the help desk, the\n        person is instructed to change this password and it must be changed before access\n        to the system is granted.\xe2\x80\x9d\n\n        The absence of specific FEC policies and operating procedures prevents FEC\n        from setting requirements for this important area. For example, as discussed\n        below, we identified that a FEC issued default password had not been changed in\n        six months. Because of the absence of appropriate controls in this area, we were\n        able to obtain access to other contractor personnel email accounts using this\n        default password.\n\n        Login Passphrase for Contractors: An audit report released by OIG, 2010\n        Follow-Up Audit of Privacy and Data Protection, Federal Election Commission,\n        Audit Report Number OIG-10-03, contained a finding related to access controls,\n        the Inspector General stated, \xe2\x80\x9cWe were informed by the Information Systems\n        Security Officer that encrypted laptops assigned to contractors use an encryption\n        passphrase assigned by the FEC. 
This is done to allow access to the information\n        on the laptop if the contractor suddenly or unexpectedly departed the FEC. This\n        process differs from that of FEC employees, who choose their own unique\n        passphrase. Based on mobile devices assigned to contract auditors as part of\n        another follow-up audit, it appears the same passphrase is used for all contractors.\n        The passphrase assigned to contractors is not suitably complex, is relatively\n        intuitive, and could be easily guessed or \xe2\x80\x9chacked\xe2\x80\x9d by using basic password\n        detection or \xe2\x80\x9ccracking\xe2\x80\x9d software. The lack of a unique secret passphrase for each\n\n6\n  These terms are used to describe that part of password administration (authentication controls) when a\npredetermined password is provided to a new user during initial login process and when replacement\npasswords are provided to existing users who are unable to login with an existing password (e.g. password\nis forgotten). We experienced difficulty in finalizing our audit testing of the policies, procedures and\nprocesses FEC follows when assigning replacement and initial passwords for users\xe2\x80\x99 network accounts.\nBecause of the departure of a key OCIO official and other reasons, delays occurred in obtaining necessary\ndocumentation to enable us to complete testing for this area. However, based upon the information\nprovided, we have identified areas where policies, procedures and processes are absent, or need\nimprovement.\n\n\n\nLeon Snead & Company, P.C.                            11\n\x0c        individual increases the risk that the data on that laptop could be accessed by an\n        unauthorized individual.\xe2\x80\x9d\n\n        We followed up on this issue and confirmed that the problem reported by the\n        auditors in 2010 continued in 2012. 
For example, the same passphrase for\n        contractor laptops has been used since 2009, and cannot be changed by the\n        contractor. We agree with the prior auditors\xe2\x80\x99 conclusion that this weakness\n        substantially negates the effectiveness of this control.\n\n        Remote Access: During our audit, we identified that FEC had recently purchased\n        approximately 150 laptop computers for use by FEC employees. These laptops\n        can be used to access the FEC system remotely when the employees are working\n        offsite. We identified that these laptops currently are not configured to use two-\n        factor authentication, as required by best practices and FEC policies.\n\n        Recommendations\n\n        5.\t Immediately implement government-wide requirements relating to\n            strengthened password controls.     Revise FEC policies and operating\n            procedures to require the minimum best practices controls contained in FDCC\n            and USGCB 7.\n\n            Agency Response\n            The Deputy CIO for Operations advised that the OCIO does not agree with\n            this recommendation. The agency\'s password standard contains sufficiently\n            strong password controls for the classification of this agency.\n\n            Auditor\xe2\x80\x99s Comments\n            FEC advised that the password controls for the agency are sufficient for the\n            classification of this agency. However, government-wide best practices as\n            established by OMB and endorsed by the council of CIOs require that\n            passwords contain twelve characters. These controls are applicable to the risk\n            rating of the FEC general support system.\n\n        6.\t Undertake a comprehensive review of user accounts that have been granted\n            non-expiring passwords. 
Require certification from account owners detailing\n            the need for non-expiring accounts, including the development of other\n            alternatives, before reauthorizing the accounts\xe2\x80\x99 access. Develop FEC policies\n            and operating procedures to implement this recommendation.\n\n\n\n7\n  Federal Desktop Core Configuration (FDCC) and United States Government Configuration Baseline\n(USGCB) are requirements that OMB have set for government-wide security settings directing agencies\nwith Windows deployed operating system to adopt the security configurations developed by the National\nInstitute of Standards and Technology (NIST), the Department of Defense (DoD) and the Department of\nHomeland Security (DHS).\n\n\n\nLeon Snead & Company, P.C.\t                         12\n\x0c       7.\t Whenever possible, require accounts with non-expiring passwords to be\n           changed at least annually. Establish substantially more robust password\n           requirements for accounts granted non-expiring passwords. Develop FEC\n           policies and operating procedures to implement this recommendation.\n\n       8.\t Immediately terminate those accounts with non-expiring passwords that have\n           not accessed their accounts within the last 12 months. Develop FEC policies\n           and operating procedures to implement this recommendation.\n\n           Agency Response (Recommendations 6 through 8)\n           The Deputy CIO for Operations advised that the OCIO agrees in part with\n           these recommendations. There are no user accounts that have been granted\n           non-expiring passwords. The only accounts that have non-expiring passwords\n           are accounts that have been established as administrative accounts or\n           application accounts that need to be set up to run applications. 
These accounts\n           are only accessible by systems administrators in the performance of \xe2\x80\x9csys\n           admin\xe2\x80\x9d duties. There are such accounts that have been established in the past\n           that are no longer required, and we are reviewing these accounts for\n           applicability. The operating procedures that are followed in this process are\n           standard system administration functions performed by qualified system\n           administrators. The account review will be completed by July 2013.\n\n           Auditor\xe2\x80\x99s Comments (Recommendations 6 through 8)\n           We continue to believe that the recommendations should be implemented by\n           FEC, in total, based upon the problems noted with these accounts.\n\n       9.\t Remove the 400 disabled accounts noted during this audit by the end of the\n           calendar year, and on a semi-annual basis conduct a review of the active\n           directory to remove disabled accounts. Revise FEC policies and operating\n           procedures to implement this recommendation.\n\n           Agency Response\n           The Deputy CIO for Operations advised that the disabled accounts remain in\n           the list of accounts for historical purposes, and will be reviewed as part of the\n           actions taken for recommendations 2-4.\n\n           Auditor\xe2\x80\x99s Comments\n           We continue to believe that the recommendation should be implemented by\n           FEC based upon the problems noted with these accounts.\n\n       10. Strengthen controls over the establishment of initial and replacement (default)\n           passwords, to include requiring that random passwords be used, and the\n           default passwords used be changed monthly. 
Develop FEC policies and\n           operating procedures to implement this recommendation.\n\n\n\n\nLeon Snead & Company, P.C.\t                    13\n\x0c           Agency Response\n           The Deputy CIO for Operations advised that the OCIO disagrees with this\n           recommendation. The FEC password standard is documented and followed by\n           the FEC. The password standard is adequate for the security level of this\n           agency.\n\n           Auditor\xe2\x80\x99s Comments\n           We continue to believe that the recommendation should be implemented by\n           FEC based upon the problems noted with these accounts.\n\n       11. Research and fix the problem that enables use of a default password to access\n           other contractor email accounts.\n\n           Agency Response\n           The Deputy CIO for Operations advised that the OCIO agrees with this\n           recommendation. FEC will research this issue, but policy dictates that each\n           contractor that requires an email account has a unique password.\n\n           Auditor\xe2\x80\x99s Comments\n           Since the FEC agreed to this recommendation, we have no additional\n           comments.\n\n       12. Establish procedures that require contractors to create their own unique login\n           passphrase.\n\n           Agency Response\n           The Deputy CIO for Operations advised that the OCIO agrees with this\n           recommendation. The FEC will research this recommendation to ensure that\n           all FEC policies are applied equally, unless a unique exemption is\n           documented.\n\n           Auditor\xe2\x80\x99s Comments\n           Since the FEC agreed to this recommendation, we have no additional\n           comments.\n\n       13. 
Require all employees and contractors with remote access to FEC\xe2\x80\x99s networks\n           to comply with the dual-factor authentication requirement for their FEC\n           laptop, as federal and FEC policies mandate.\n\n           Agency Response\n           The Deputy CIO for Operations advised that the OCIO agrees with this\n           recommendation. The FEC does require all employees and contractors to\n           comply with dual factor authentication. The agency requires a password and a\n           secure key or HSPD-12 ID to affect dual authentication. The agency is\n           currently in transition from secure key to HSPD-12 ID\'s and expects to\n           complete the transition by March 2013.\n\n\n\nLeon Snead & Company, P.C.                    14\n\x0c           Auditor\xe2\x80\x99s Comments\n           While FEC officials agreed with this recommendation, and stated that the\n           agency requires dual factor authentication, FEC currently has up to 150\n           laptops in service that currently do not have dual factor authentication and can\n           remotely access the FEC network.\n\n   C. A System to Recertify Users Access Authorities is Needed\n\n       FEC has not developed an effective process to periodically review user access\n       authorities by the users\xe2\x80\x99 supervisors, even though agency officials agreed to\n       implement this recommendation in response to our 2009 financial statement audit.\n       Auditing standards required our follow up on the actions taken by FEC to address\n       this problem. FEC officials indicated that a new approach to implementing this\n       control process would be associated with the FEC\xe2\x80\x99s \xe2\x80\x9cLivelink\xe2\x80\x9d project. 
However\n       there was no documentation provided to support that this process was being\n       implemented into \xe2\x80\x9cLivelink,\xe2\x80\x9d and we were advised that \xe2\x80\x9cLivelink\xe2\x80\x9d was never\n       meant to provide a means for users\xe2\x80\x99 supervisors to review their employees\xe2\x80\x99 access\n       authorities.\n\n       In meetings with the CIO and Deputy CIO for Operations we were advised that\n       the FEC still had not developed a method for performing periodic reviews of user\n       access authorities. The CIO indicated that this project was one that the FEC\n       wanted to implement, and when the new CISO was on board the OCIO would\n       again address this project. FEC is at unnecessary risk, and is not in compliance\n       with best practice control processes and its own policies. Without periodically\n       performing a review of user access authorities, FEC officials do not have\n       assurance that users only have access to information and information systems that\n       are necessary to accomplish job responsibilities, resulting in a recent incident of\n       an FEC employee having unauthorized access to information on network files.\n\n       Recommendations\n\n       14. Establish an FEC policy that requires annual recertification of users\xe2\x80\x99 access\n           authorities.\n\n       15. Review FEC current system capabilities in implementing recertification of\n           user access authorities. Develop and document a detailed project plan based\n           on management\xe2\x80\x99s review, and assign sufficient resources to this project so that\n           it can be completed on or prior to June 2013.\n\n           Agency Response (Recommendations 14 and 15)\n           The Deputy CIO for Operations advised that the OCIO disagrees with these\n           recommendations. 
Annual recertification is not necessary and would be\n           redundant with the procedures of the agency\'s FEC System Access system.\n           All access requests and removals are recorded in the agency\'s FSA. Access\n           remains in effect until the request for removal is submitted.\n\n\n\nLeon Snead & Company, P.C.                     15\n\x0c           Auditor\xe2\x80\x99s Comments (Recommendations 14 and 15)\n           Since we first reported that FEC needed to perform a recertification of user\n           access authorities, and made recommendations in our 2009 financial statement\n           audit report, FEC officials have agreed to implement this recommendation. In\n           a recent meeting in September 2012, senior agency officials confirmed that\n           the agency intended to implement a recertification process. OCIO officials\n           have now changed the agency\xe2\x80\x99s position and disagree with our\n           recommendation. OCIO officials advised that the FSA system provides this\n           recertification control, and a separate independent recertification of user\n           access authorities would be redundant. However, there can never be full\n           assurance that the FSA system will actually reflect the status of network users\n           in active directory. The recertification of active users must come from the\n           original controlling files \xe2\x80\x93 active directory. FSA does not provide an accurate\n           snapshot of users\xe2\x80\x99 access authorities. For example, we identified five\n           separated contractors listed as active users in the FSA system, and having\n           access to FEC\xe2\x80\x99s network although they no longer worked for the FEC. We\n           have noted similar problems with the system in prior audits. In addition, FSA\n           allows FEC personnel who are not managers or supervisors to grant network\n           access to other FEC staff. 
These requests are not required to be approved or\n           reviewed by a supervisor and/or manager prior to granting access. Further, all\n           managers and supervisors do not have access to FSA, and have not been\n           trained on FSA in order to periodically review FEC personnel access\n           authorities. Therefore, in its current state, FSA cannot be used as an accurate\n           source for recertification of user\xe2\x80\x99s access authorities. Without such a control,\n           FEC will continue to experience problems with separated personnel retaining\n           network access as we have reported since our 2009 audit.\n\n   D. Certification and Accreditation Controls\n\n       FEC\xe2\x80\x99s Certification and Accreditation Controls need to be strengthened to ensure\n       that appropriate IT security controls are in place and operating as designed. FEC\n       has not performed a certification review of its key medium risk GSS since\n       December 2008. In addition, our review of FEC IT policies identified that FEC\n       needs to strengthen FEC policy 58.2.4, Certification and Accreditation (C&A)\n       Policy, issued September 2004, to provide additional guidance on what decision\n       points drive when a new C&A is required, and to provide specific documentation\n       requirements to be maintained in order for the agency to track changes made to\n       systems, and to make informed decisions on when major changes drive the need\n       for a re-certification. OMB best practices require that a re-certification review be\n       performed at least every three years.\n\n       FEC performed a certification of its general support system, using NIST SP 800\xc2\xad\n       53 as guidance, and issued a security controls assessment report (SCAR) in\n       December 2008. The CIO accredited the system in January 2009 with authority\n       to operate until January 15, 2010. 
The SCAR identified a significant number of high and medium risks, and FEC developed a corrective action plan to address most weaknesses. Some of the weaknesses FEC decided not to implement because the agency is “exempt from FISMA.”

Leon Snead & Company, P.C.                     16

We discussed the importance of C&A controls, the status of a new C&A on the GSS, whether the certification would follow NIST guidelines, and the date the certification would take place with the prior CISO and the Deputy CIO for Operations. We also requested information on how the agency determined when changes made to the GSS, individually or in aggregate, modified or upgraded the system in a way that impacted information security and assurance, and therefore warranted a new C&A. We were advised that the agency is planning to perform another C&A, but a date has not been set, and a decision has not been made on whether the agency would use NIST SP 800-53 as the guidance document. In addition, OCIO officials were unable to provide information as to how the agency made determinations that changes to the GSS met the FEC standard that would require another C&A.

Recommendations

16. Revise FEC policies to require a certification of its systems at least once every three years.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO does not agree with this recommendation. Recertification is addressed in policy 58-2.4. FEC performed the Certification and Accreditation of systems pursuant to the first iteration of NIST SP 800-37, which recommended continuous monitoring of selected security controls, plus comprehensive testing of all security controls and reauthorization every three years. However, the new framework (NIST SP 800-37 rev1, Risk Management Framework) provides a more dynamic approach which leverages robust continuous monitoring to support on-going authorization and risk management as part of a more steady state, less cyclical process. The FEC is investigating this as an option.

    Auditor’s Comments
    The OCIO is correct that the risk management framework discusses a robust continuous monitoring framework, similar to the recommendations that we have been making since our 2009 audit report. FEC has not performed a complete assessment of the GSS, either through continuous monitoring or as a periodic assessment, since the first assessment was completed in December 2008, almost four years ago. OMB Circular A-130, Appendix III, provides that agencies should “review the security controls in each system when significant modifications are made to the system, but at least every three years.”

17. Perform a re-certification of the GSS using NIST SP 800-53 as review criteria within this calendar year.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO disagrees with this recommendation. Recertification of any FEC system will be performed in accordance with policy 58-2.4.

    Auditor’s Comments
    FEC policy 58-2.4 is in need of substantial revision. The FEC policy states that all FEC major applications and general support systems shall be re-certified/re-accredited when modified or upgraded in a way that impacts information security and assurance, or in response to changes in the risk environment. However, when we inquired as to how the agency determines, individually and in aggregate, when system modifications or upgrades impacted the system’s security, OCIO officials were unable to provide a meaningful response. In addition, when we requested documentation of such reviews and decisions on system changes, such as the changes made for the FEC System Access module, or the changes made for the Enterprise Content Management system, OCIO officials were unable to provide any documentation of such analyses.

    We continue to believe that a new security assessment, completed in accordance with the NIST SP 800-37 Risk Management Framework, needs to be completed as soon as possible.

18. Strengthen FEC Policy 58.2.8 so that it provides additional guidance on what decision points drive when a new C&A is required, and specific documentation requirements that need to be maintained in order for the agency to track changes so it can make informed decisions on when major changes drive the need for a re-certification.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO agrees in part. The FEC is in consultation with the Department of Commerce and will obtain lessons learned and perform a cost-benefit analysis on potentially implementing the new recommendation by NIST in lieu of the prior Certification and Accreditation recommendation.
    FEC does not have a startup or finish date to implement the new Risk Management Framework due to unknown cost at this time. However, FEC hopes to implement in fiscal year 2014, if funding is available.

    Auditor’s Comments
    While agency officials agreed with the recommendation in part, we believe that the problems discussed in this report support the recommendation. Without full adoption of the recommendation, FEC information and information systems will remain at high risk.

E. Vulnerability Scanning

Problems related to FEC’s vulnerability scanning[8] program reported in our 2011 and prior audit reports have not been addressed by FEC. While the FEC had established a vulnerability scanning program, the program did not meet best practices in several key areas. For example, individual workstations were excluded from the scanning process – a significant omission – and vulnerabilities identified in the components of the general support system that were scanned were not mitigated timely.

We identified that about 60 percent of the 250 vulnerabilities identified in the agency’s 2012 scanning report had also been identified in scans performed by the agency in 2011. In addition, we continued to find that improvements are needed in the agency’s patching system[9]. For example, about 65 percent of the vulnerabilities identified in the agency’s 2012 scan results related to outdated versions of software or inadequate patching of systems. These vulnerabilities would have been mitigated had FEC implemented an effective patch management program.

Recommendations

19. Include all components of the general support system, including workstations, into the organization’s vulnerability/security scanning process and ensure that the general support system in its entirety is assessed at least annually.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO agrees in part with this recommendation. All components of the general support system, including workstations, have been recently scanned for vulnerability and security. The report of this scanning will be available in November and the confidential results will determine the frequency of future scans. The OCIO disagrees on the need for a semi-annual assessment. Frequency of vulnerability scanning will be determined based upon results of the scan and available resources and funding.

    Auditor’s Comments
    Because of the number and age of the vulnerabilities identified in agency scans, and the exclusion of workstations from periodic scans, we continue to believe that this recommendation should be implemented.

20. Implement procedures to ensure that scan results are subject to a “root cause” analysis to ensure that remediation actions address technical as well as organizational processes and procedures.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO disagrees with this recommendation. The agency’s current processes contained in Directive 58-2.1 address root cause analysis, and its role in mitigation techniques.

    Auditor’s Comments
    While FEC policy 58-2.1 provides “This policy takes into consideration: Threat/vulnerability identification and root cause analyses,” our 2012 and prior audit tests found that these analyses were not effectively performed. For example, our 2010 and 2011 audit reports identified that a large number of the vulnerabilities identified by the agency were related to outdated software and inadequate patching. We also noted that many of the issues had been included in more than one scanning report. A “root cause” analysis of the scanning results would have identified that the FEC’s patch management system was not working properly, and that additional corrective actions were necessary.

21. Strengthen controls to ensure that vulnerabilities identified through the vulnerability scanning tests are remediated within 30 days, or document acceptance of these risks.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO agrees in part with this recommendation. The FEC will address level 1 threats within the 30-day requirement. Threats of a lesser nature will be dealt with as soon as possible depending on staff and budget restrictions. The policies and procedures established in Directive 58 address all of this recommendation, and are deemed to meet the requirements of the FEC.

    Auditor’s Comments
    FEC officials agreed in part with this recommendation. While FEC officials plan to address more significant threats within 30 days, the officials did not provide a timeframe for remediating the other risks identified in the agency scans. We believe that the agency directives are in need of revision, and should address the problems noted in this report.

[8] NIST controls for a vulnerability scanning program include: performing scans for vulnerabilities in the information system and hosted applications on a periodic basis; checklists and procedures for the scanning program; processes for analyzing vulnerability scan reports; and processes for remediating legitimate vulnerabilities.

[9] NIST defines patch management as the process for identifying, acquiring, installing, and verifying patches for products and systems. Patches correct security and functionality problems in software and firmware. From a security perspective, patches are most often of interest because they are mitigating software flaw vulnerabilities; applying patches to eliminate these vulnerabilities significantly reduces the opportunities for exploitation. Also, patches are usually the most effective way to mitigate software flaw vulnerabilities, and are often the only fully effective solution.

F. Configuration Security Controls and FDCC/USGCB Requirements

While FEC has incorporated workstations into the change management[10] framework, which addressed a problem we identified in our prior audits, the agency’s change management process relies on the manual recording of all system changes in an outside application.
As reported in our 2011 audit, there was no effective process in place to identify all changes to the configuration of FEC’s system, and no logs identifying changes to the system are collected. Therefore, there is reduced assurance that all changes are processed under the agency’s change management framework, or that changes made outside the framework will be identified.

In addition, while FEC has issued configuration baseline standards for a number of its systems, these standards have not been fully implemented for the computers we tested. We compared the FEC-provided configuration settings to several laptop computers, and identified that the baseline configuration standards were not fully implemented for any of the computers we tested. For the workstations and configuration standards tested, we identified that 5 of the 15 baseline configuration standard settings had not been implemented. We also noted that two of the configuration settings could be changed by the user, as users were provided administrative rights to the local machine. The current FEC baseline configuration standards require that on Windows XP machines the “administrator account” be renamed and that access to administrator authorities is limited to only those users requiring such access. However, based on the computer settings we reviewed, users had been given administrator rights allowing them to change local settings.

As we have reported since our 2009 audit, FEC has not fully implemented security control requirements that OMB mandated in 1997 for Windows computers. FEC has established a project to adopt “selected” control requirements, and estimates that full implementation of the “selected” controls will not be completed until the end of 2012. Our tests found the following non-compliant requirements that can be easily implemented and would strengthen FEC’s network:

    Access Control Objective    FEC Settings    FDCC Requirements    Meets or exceeds OMB Requirements
    Enforce password history    5 passwords     24 passwords         No
    Maximum password age        180 days        60 days              No
    Minimum password age        0 days          1 day                No
    Minimum password length     8 characters    12 characters        No

Recommendations

22. Implement baseline configuration standards for all workstations.

23. Fully implement USGCB/FDCC standards and perform scanning of Internet Explorer configuration settings.

    Agency Response (Recommendations 22 and 23)
    The Deputy CIO for Operations advised that the OCIO agrees with these recommendations. The FEC is in the process of implementing the baseline configuration. The CIO estimated the completion date as summer 2013.

    Auditor’s Comments (Recommendations 22 and 23)
    Since the agency agreed to implement these recommendations, we have no additional comments.

24. Implement logging of all configuration changes and review logs regularly to ensure that all system changes, including changes to workstations, are processed through the change management framework.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO believes that the current processes are in compliance with the recommendation. All change management processes are logged and maintained by the Change Advisory Board.

    Auditor’s Comments
    While the current GSS security plan states that automated system logging of configuration changes is in place for network components, our audit tests determined that FEC personnel had not been consistently reviewing the system logs. Instead, we found that FEC’s current change management process relies on a manual process in which personnel are to record configuration changes into a tracking system. However, there is no process in place to compare the system logs being generated on these network components to the configuration changes recorded in the manual tracking system. A comparison would identify configuration changes that were made outside the current change management process, and also reveal policy deviations. Further, based on the FDCC/USGCB evaluation performed by the agency, the system logging capabilities available on the workstations have not been implemented. Therefore, there is no assurance that all changes are identified and managed through the Change Advisory Board and the current change management framework.

[10] The objective of change management is to ensure that standardized methods and procedures are used for efficient and prompt handling of all changes to control IT infrastructure, in order to minimize the number and impact of any related incidents upon service. Changes in the IT infrastructure may arise reactively in response to problems or externally imposed requirements, e.g. legislative changes, or proactively from seeking improved efficiency and effectiveness or to enable or reflect business initiatives, or from programs, projects or service improvement initiatives. Change Management can ensure standardized methods, processes and procedures which are used for all changes, facilitate efficient and prompt handling of all changes, and maintain the proper balance between the need for change and the potential detrimental impact of changes.

G. Personnel Security Controls

Follow-up on the actions taken by FEC to address recommendations in our 2011 report identified the following unresolved personnel security control issues:

  • While improvements were noted in controls related to separated FEC employees, we did note that of five FEC employees tested, one was not removed within the one-day requirement established in FEC procedures. The employee’s network access was terminated seven days after separation.

  • Our tests of FEC contractors who had access to FEC’s network showed five separated contractor employees were listed in the FEC System Access (FSA) system as active users, indicating weaknesses in the agency’s main application for tracking employees’ and contractors’ network access.

Recommendations

25. Review the conditions that caused the employee to retain network access beyond the FEC’s standard, and strengthen controls as appropriate.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO has reviewed the condition and it was due to the nature of the person’s position. The employee was allowed to retain access beyond the FEC’s standard due to a human bypass of FSA policy. The employee was allowed to exit the agency without completing the FSA process. The FSA process and policy were put in place to preclude any human intervention.

    Auditor’s Comments
    We are uncertain of the agency’s response to this recommendation. However, we continue to believe an analysis of the problems that continue to impact the prompt removal of network access for separated personnel needs to be performed.
    We have reported problems related to continued network access for separated personnel since our 2009 audit report, and the prior financial statement auditors reported similar problems in their 2008 audit report.

26. Review the FSA database and remove those personnel shown as current employees or contractors who have departed the agency.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO disagrees with this recommendation. To maintain historical records, employees that have departed will be kept in the system even though their access rights are disabled.

    Auditor’s Comments
    The agency’s response does not address our recommendation. Contractors listed in FSA as currently on-board had, in fact, separated, in some cases years ago. We continue to believe that the FEC should implement this recommendation to reduce the risk of unauthorized access.

H. Oversight and Monitoring of IT Corrective Actions

FEC has not timely implemented actions necessary to remediate identified weaknesses in IT controls, some of which were first reported in 2008. We reviewed financial statement audit reports along with other reports issued since 2008 to determine whether the FEC has timely and effectively implemented controls on weaknesses that FEC officials agreed to correct.

The results of our review of open financial statement audit recommendations are discussed in detail in Attachment 1.

Recommendations

27. Review all outstanding audit recommendations contained in the agency’s financial statement audit reports, and develop a current, detailed, time-phased corrective action plan (CAP) for each audit finding and recommendation.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO disagrees with this recommendation since there is already an agreement in place with OIG that CAPs are updated twice per year, in May and November.

    Auditor’s Comments
    Management’s May and November CAP updates have been required by Commission Directive 50: Audit Follow-up since 2006, and are not the result of “an agreement in place with the OIG….” In addition, the CAP updates have not resulted in resolution of outstanding financial statement audit recommendations that have been reported since 2009. The FEC continuously fails to meet implementation due dates, and to adequately monitor and resolve outstanding audit recommendations. Failure to adequately plan and develop useful and achievable corrective actions results in repeat audit findings being reported for several years. For example, concerning the periodic recertification of users’ access authorities, FEC has not yet implemented this recommendation even though the agency agreed with the recommendation in their response to the 2009 financial statement audit. We continue to believe that this recommendation should be implemented.

28. Modify key officials’ position descriptions and rating elements to include, as a critical element, the timely completion of corrective action plans.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO disagrees with this recommendation. Completion of CAPs is not appropriate for inclusion in a key official’s position description and is not a critical element.

    Auditor’s Comments
    We have identified a significant number of problems that remained uncorrected, in many cases since 2009. In addition, the OIG’s report, Review of Outstanding Audit Recommendations, dated June 2012, reported issues with timely completion of corrective actions.

    We disagree that it is not appropriate for timely completion of agreed-upon corrective actions to be included as a rating element for applicable FEC officials. As OMB Circular A-50, Audit Followup, provides, “Audit followup is an integral part of good management, and is a shared responsibility of agency management, officials, and auditors. Corrective action taken by management on resolved findings and recommendations is essential to improving the effectiveness and efficiency of Government operations.” Because of the problems noted, we continue to believe that this recommendation should be implemented.

29. Develop a tracking process that would include monthly reports to the CIO, highlight key tasks that may miss or have missed target dates, and assign one key OCIO official as responsible for monitoring OCIO corrective action plans.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO agrees in part with this recommendation. OCIO will review CAPs on a monthly basis at the weekly OCIO management meetings.

    Auditor’s Comments
    The issues included in this report support that this recommendation should be fully implemented by FEC.

I. Testing and Exercise of FEC’s COOP

During fiscal year 2011, FEC completed most of the last phase of its multi-year plan to implement a Continuity of Operations Plan (COOP) document. However, FEC has not yet fully tested and exercised the COOP – a critical element in development of a comprehensive and effective plan. FEC’s planning documents showed the agency was to have completed necessary testing and exercise by July 2011. FEC officials advised that the delay was due to the illness of a key project team member, and that completion of testing was deferred until approximately the beginning of calendar year 2012. As of September 2012, testing has not been completed.

At the beginning of our 2012 audit, we requested documentation from FEC officials to enable us to determine whether the FEC COOP had been appropriately tested, and whether the tests and related documentation met FEC’s policies and Federal Continuity Directive No. 1 requirements for testing. We were initially advised by OCIO personnel that no documentation was available related to COOP testing. Subsequently, some FEC COOP test planning and related documents were located and provided.
We were unable to determine from these documents whether FEC met either its own testing requirements or the federal requirements that are applicable to the agency.

The table below lists key federal requirements, and whether the documentation provided enabled us to conclude whether FEC was in substantial compliance with these requirements.

    FCD No. 1, Appendix K[11] requirement | Auditor’s Comments
    Annual testing of alert, notification, and activation procedures for continuity personnel and quarterly testing of such procedures for continuity personnel at agency headquarters. | No documentation provided to show that this requirement was met.
    Annual testing of plans for recovering vital records (both sensitive and non-sensitive), critical information systems, services, and data. | Some documentation was provided to show that critical information systems were tested.
    Annual testing of primary and backup infrastructure systems and services (e.g., power, water, fuel) at alternate facilities. | No documentation provided to show that this requirement was met.
    Annual testing and exercising of required physical security capabilities at alternate facilities. | No documentation provided to show that this requirement was met.
    Testing and validating equipment to ensure the internal and external interoperability and viability of communications systems, through monthly testing of the continuity communications capabilities. | No documentation provided to show that this requirement was met.
    An annual opportunity for continuity personnel to demonstrate their familiarity with continuity plans and procedures and to demonstrate the agency’s capability to continue its essential functions. | No documentation provided to show that this requirement was met.
    An annual exercise that incorporates the deliberate and preplanned movement of continuity personnel to an alternate facility or location. | No documentation provided to show that this requirement was met.
    An opportunity to demonstrate that backup data and records required to support essential functions at alternate facilities or locations are sufficient, complete, and current. | Some records were available to show that some aspects of this requirement were tested.

[11] Federal Continuity Directive (FCD) No. 1, Federal Executive Branch National Continuity Program, Appendix K, Test, Training and Exercise, was issued by the Department of Homeland Security to guide federal agencies in the development of COOP documents.

Because the documentation provided was insufficient to support that FEC met these federal requirements or addressed the issues reported in our 2011 audit report, this problem remains open and requires further review and corrective action by FEC personnel.

Recommendations

30. Ensure that sufficient resources are assigned to timely complete the testing of FEC’s COOP in order to reduce risk to the FEC.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO agrees with this recommendation. In accordance with Annex A of HSPD 20, the FEC is a category 4 agency. The agency COOP is sufficiently tailored to the appropriate level of preparedness for a Cat 4 agency. The COOP is more aptly aimed at providing guidance for continuity after an incident at a local agency level, affecting only this agency. The testing was completed and documented, and results were provided as a PBC item.

31. Ensure that appropriate documentation is retained as required by FCD No. 1 to support that FEC has met all applicable federal testing requirements.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO agrees with this recommendation. The FEC has met all TT&E requirements for a category 4 agency in accordance with internal IT policies and directives. Management deems that policies and testing of those policies, directives, COOP and DR plans are commensurate with the risk analysis appropriate for this agency.

32. Develop a detailed POA&M to ensure that required COOP testing and exercises are completed as soon as possible.

    Agency Response
    The Deputy CIO for Operations advised that the OCIO disagrees with this recommendation, and the OCIO believes the COOP testing is complete and the CAP submitted as a PBC.

    Auditor’s Comments (Recommendations 30 through 32)
    Documentation provided by FEC was analyzed and did not meet federal requirements. Therefore, we continue to believe that the recommendations should be implemented by FEC.

COMPLIANCE WITH LAWS AND REGULATIONS

The results of our tests of compliance with certain provisions of laws and regulations, as described in the Responsibilities section of this report, disclosed no instance of noncompliance with laws and regulations that is required to be reported under Government Auditing Standards and OMB Bulletin 07-04 (as amended).

AGENCY RESPONSE AND AUDITOR COMMENTS

FEC management responded to the draft report in a memorandum dated November 9, 2012, which indicated that the agency responses to each recommendation are included in the body of this report. We have included their comments and our response after each recommendation. FEC also noted in their response that they believe “that such an extensive IT concentrated audit is perhaps not appropriate” as part of the financial statement audit.

As we have previously discussed with FEC officials, Government Auditing Standards require us to perform testing of agency IT systems that could have a direct and material effect on the audited agency’s financial controls and/or financial statement presentation or disclosures. Therefore, we continue to believe our audit testing of IT controls was appropriate.

The FEC’s written response to the significant deficiency identified in our audit was not subjected to the auditing procedures applied in the audit of the financial statements and, accordingly, we express no opinion on it.

DISTRIBUTION

This report is intended solely for the information and use of the management, the FEC Board, the Office of Inspector General, and others within the FEC, OMB, and Congress, and is not intended to be and should not be used by anyone other than these specified parties.

Leon Snead & Company, P.C.
November 14, 2012
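Section E above reports that about 60 percent of the 2012 scan findings were already present in the 2011 scans, that about 65 percent traced back to outdated software or missing patches, and recommendation 21 asks for remediation within 30 days or a documented risk acceptance. All three measures can be computed from the scan reports themselves, which is the “root cause” view recommendation 20 asks for. The Python below is an added example, not code from the report or from the FEC; the findings, check identifiers, hosts and dates are constructed sample data, and the keyword rule that labels a finding as patch-related is an assumption about how a scanner titles such checks.

```python
"""Repeat-finding, root-cause and remediation-aging analysis over two scan reports.

Added example for Section E of the report; the findings below are constructed
sample data, not FEC scan output.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str      # scanner check identifier (constructed values)
    title: str
    severity: str      # "high" / "medium" / "low"
    first_seen: date   # date the scanner first reported this check on this host


# Constructed 2011 scan report.
SCAN_2011 = [
    Finding("ws-01", "C-1001", "Outdated Adobe Reader version", "high", date(2011, 3, 10)),
    Finding("ws-01", "C-1002", "Missing Windows security update", "high", date(2011, 4, 2)),
    Finding("srv-01", "C-2001", "Unsupported Apache HTTP Server version", "high", date(2011, 5, 15)),
    Finding("srv-01", "C-2002", "Expired TLS certificate", "medium", date(2011, 6, 1)),
    Finding("srv-02", "C-2003", "Default SNMP community string", "medium", date(2011, 6, 1)),
    Finding("srv-02", "C-1002", "Missing Windows security update", "high", date(2011, 4, 2)),
    Finding("ws-02", "C-1003", "Outdated Java runtime", "medium", date(2011, 7, 20)),
]

# Constructed 2012 scan report: six findings carried over unchanged, four new ones.
SCAN_2012 = [
    Finding("ws-01", "C-1001", "Outdated Adobe Reader version", "high", date(2011, 3, 10)),
    Finding("ws-01", "C-1002", "Missing Windows security update", "high", date(2011, 4, 2)),
    Finding("srv-01", "C-2001", "Unsupported Apache HTTP Server version", "high", date(2011, 5, 15)),
    Finding("srv-02", "C-2003", "Default SNMP community string", "medium", date(2011, 6, 1)),
    Finding("srv-02", "C-1002", "Missing Windows security update", "high", date(2011, 4, 2)),
    Finding("ws-02", "C-1003", "Outdated Java runtime", "medium", date(2011, 7, 20)),
    Finding("ws-03", "C-1004", "Outdated Flash Player version", "high", date(2012, 8, 20)),
    Finding("srv-01", "C-2004", "Missing database server patch", "high", date(2012, 9, 15)),
    Finding("srv-03", "C-2005", "Anonymous FTP login permitted", "medium", date(2012, 7, 1)),
    Finding("ws-03", "C-3001", "Guest account enabled", "low", date(2012, 9, 25)),
]

# Assumed keyword rule: a title mentioning any of these is a patch/version problem.
PATCH_WORDS = ("outdated", "unsupported", "missing", "patch", "update")

AS_OF = date(2012, 9, 30)                            # date of the analysis
ACCEPTED = frozenset({("srv-02", "C-2003")})         # constructed risk-acceptance record


def key(f: Finding):
    """A finding is 'the same' across reports when host and check match."""
    return (f.host, f.check_id)


def repeat_rate(previous, current) -> float:
    """Fraction of current findings that were already present in the previous report."""
    seen = {key(f) for f in previous}
    repeated = sum(1 for f in current if key(f) in seen)
    return repeated / len(current) if current else 0.0


def root_cause(f: Finding) -> str:
    """Coarse root-cause bucket: patch management versus configuration."""
    title = f.title.lower()
    return "patching" if any(w in title for w in PATCH_WORDS) else "configuration"


def root_cause_summary(current) -> Counter:
    return Counter(root_cause(f) for f in current)


def patch_related_share(current) -> float:
    return root_cause_summary(current)["patching"] / len(current) if current else 0.0


def overdue(current, as_of: date, sla_days: int = 30, accepted=frozenset()):
    """Findings open longer than the SLA with no documented risk acceptance."""
    return [f for f in current
            if (as_of - f.first_seen).days > sla_days and key(f) not in accepted]


if __name__ == "__main__":
    print(f"repeat rate: {repeat_rate(SCAN_2011, SCAN_2012):.0%}")
    print(f"root causes: {dict(root_cause_summary(SCAN_2012))}")
    print(f"patch-related share: {patch_related_share(SCAN_2012):.0%}")
    for f in overdue(SCAN_2012, AS_OF, accepted=ACCEPTED):
        print(f"OVERDUE {f.host} {f.check_id} {(AS_OF - f.first_seen).days}d {f.title}")
```

A repeat rate that stays high across years, combined with a root-cause summary dominated by the patching bucket, is exactly the signal the auditors describe: the scanner is finding the same version and patch gaps again, so the corrective action belongs in the patch management process rather than in one-off fixes. The overdue list gives the 30-day tracking that recommendation 21 asks for, with documented acceptances removed so that only untracked risk remains.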
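Recommendations 24 through 26 reduce to one defender's check applied to two data sets: take the authoritative record of what happened (configuration-change logs from network devices; HR separation dates) and look for entries with no matching authorizing record (a Change Advisory Board ticket whose approved window covers the change; an account disabled within the one-day standard). The Python below is an added example, not the FEC's process or code; the log lines, ticket numbers, account names and dates are constructed, and the syslog-like log layout is an assumption.

```python
"""Two reconciliation checks: configuration-change logs against approved change
records, and HR separations against an access-tracking system.

Added example for recommendations 24 through 26; every log line, ticket,
account and date below is constructed sample data, not FEC records.
"""
import re
from datetime import date, datetime

# Constructed device configuration-change events in an assumed syslog-like layout.
CHANGE_LOG = """\
2012-09-10T09:15:00 core-rtr1 CONFIG user=netops1 msg="acl 110 modified"
2012-09-10T22:40:00 core-rtr1 CONFIG user=netops2 msg="ntp server changed"
2012-09-12T14:03:00 core-sw1 CONFIG user=netops1 msg="vlan 30 added"
2012-09-13T08:05:00 fw-edge CONFIG user=admin9 msg="rule 17 disabled"
2012-09-13T08:06:00 fw-edge LINK-DOWN interface=ge-0/0/3
"""

LOG_RE = re.compile(r'^(\S+) (\S+) CONFIG user=(\S+) msg="([^"]*)"$')

# Constructed Change Advisory Board records: ticket, device, approved window.
CAB_TICKETS = [
    ("CHG-0412", "core-rtr1", "2012-09-10T08:00:00", "2012-09-10T12:00:00"),
    ("CHG-0415", "core-sw1", "2012-09-12T13:00:00", "2012-09-12T16:00:00"),
]


def parse_change_log(text: str) -> list:
    """Keep only CONFIG events; other log lines are irrelevant to this check."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts, device, user, msg = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "device": device,
                           "user": user, "msg": msg})
    return events


def unapproved_changes(events: list, tickets: list) -> list:
    """Config changes on a device with no CAB ticket whose window covers them."""
    windows = [(dev, datetime.fromisoformat(s), datetime.fromisoformat(e))
               for _, dev, s, e in tickets]
    return [ev for ev in events
            if not any(dev == ev["device"] and s <= ev["time"] <= e
                       for dev, s, e in windows)]


# Constructed HR separation dates and the access system's view of each account.
SEPARATIONS = {"jdoe": "2012-08-01", "asmith": "2012-06-15", "contractor7": "2010-11-30"}
# account -> date access was disabled, or None if still shown as active
ACCESS_STATUS = {"jdoe": "2012-08-08", "asmith": None, "contractor7": None, "bwhite": None}
AS_OF = "2012-09-30"


def overdue_removals(separations: dict, status: dict, as_of: str, max_days: int = 1) -> list:
    """Accounts whose access outlived separation by more than max_days.

    Returns (account, days_of_excess_access, still_active) tuples.
    """
    end_default = date.fromisoformat(as_of)
    findings = []
    for account, sep in separations.items():
        if account not in status:
            continue                       # no network account on record
        disabled = status[account]
        end = date.fromisoformat(disabled) if disabled else end_default
        lag = (end - date.fromisoformat(sep)).days
        if lag > max_days:
            findings.append((account, lag, disabled is None))
    return findings


if __name__ == "__main__":
    for ev in unapproved_changes(parse_change_log(CHANGE_LOG), CAB_TICKETS):
        print(f"UNAPPROVED {ev['time']} {ev['device']} {ev['user']}: {ev['msg']}")
    for account, lag, active in overdue_removals(SEPARATIONS, ACCESS_STATUS, AS_OF):
        print(f"LATE REMOVAL {account}: {lag} days{' (still active)' if active else ''}")
```

The change check flags the out-of-window change on core-rtr1 and the firewall change with no ticket at all; the access check reproduces both findings from Section G, an employee removed seven days after separation and a contractor still listed as active long after leaving. Run against real exports, the first list is the input to a policy-deviation review and the second is the cleanup list recommendation 26 asks for.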
Attachment 1: Chart on FEC's Corrective Actions

Audit reports covered: 2008-2012 FEC Financial Statement Audit Reports (all findings below)

Finding: Configuration Management (FDCC/USGCB)

  Recommendation: Ensure that FEC baseline configuration standards are implemented in accordance with FDCC requirements for all workstations.
  FEC Response (see note): FEC generally agreed to implement recommendations in its response to our 2009 audit.
  Background Information/Current Status: Remains open. First reported in our 2009 audit report. We found in our 2012 audit that, according to FEC scans, the agency has implemented a large percentage of FDCC requirements. However, several key controls that would be easily implemented have not been implemented by FEC, relating to password strength and related areas. Also, the FDCC and USGCB contain control settings for Internet Explorer. We were advised that FEC does not scan for these settings.

  Recommendation: Perform periodic assessments of baseline configuration settings as part of FEC's continuous monitoring program.
  FEC Response: FEC generally agreed to implement recommendations in its response to our 2010 audit.
  Background Information/Current Status: Remains open. First reported in our 2010 audit report. We found in our 2012 audit that the problems remain essentially the same as we reported in 2010.

Finding: Vulnerability Scanning

  Recommendation: Include all components of the general support system, including workstations, into the organization's vulnerability scanning process to ensure that the general support system, in its entirety, is periodically assessed.
  FEC Response: FEC generally agreed to implement recommendations in its response to our 2009 audit. However, FEC added that the agency needed to implement portions of FDCC it agreed to adopt prior to implementing this recommendation.
  Background Information/Current Status: Remains open. First reported in our 2009 audit report. We found in our 2012 audit that the problems remain essentially the same as we reported in 2009. FEC officials advised us that they have recently completed scanning of the FEC's network. However, we have not reviewed the scanning process or the scanning reports.

Finding: Personnel Security and Access Controls

  Recommendation: Implement additional controls to ensure that former employees' access to the network is terminated in accordance with FEC policies.
  FEC Response: FEC generally agreed to implement recommendations in its response to our 2009 audit.
  Background Information/Current Status: Remains open. Issue first reported in the 2008 audit report. While we found improvements in this control from the significant problems noted in our 2011 audit, we noted that one sampled individual was removed untimely, and five separated contractor employees were listed in the FEC System Access (FSA) system as active users, indicating weaknesses in the agency's main application for tracking employees'/contractors' network access.

  Recommendation: Assure sufficient resources are provided to complete the project dealing with the establishment of processes to enable periodic review of users' access authorities.
  FEC Response: FEC, in its response, generally agreed to implement the recommendations in this area in our 2009 audit report.
  Background Information/Current Status: Remains open. First reported in our 2009 audit report. We found in our 2012 audit that the problems remain essentially the same as we reported in 2009.

Finding: Security Awareness Training

  Recommendation: Revise FEC procedures to require that all new personnel and contractors take the security awareness training, and acknowledge rules of behavior, prior to being granted access to FEC systems.
  FEC Response: First reported in our 2010 audit report. Management partially agreed with the recommendations and provided an alternative process. We agreed to this alternative process as a way of remediating the issue.
  Background Information/Current Status: Remains open. Completion of the security awareness training was delayed until after our scheduled field work completion date, and was not tested during this year's audit. Security awareness training was included as a problem area in our 2011 audit report.

Finding: COOP Development and Testing

  Recommendation: Multiple recommendations were made in this area since our 2009 audit report, and it was reported in the predecessor auditor's 2008 audit report.
  FEC Response: FEC management concurred with our recommendation that the COOP be completed and fully tested by the end of the 2010 calendar year.
  Background Information/Current Status: Remains open. Over the five years, FEC has developed the COOP and implemented portions of a testing, training, and exercise (TTE) program required by FCD No. 1, Appendix K. However, documentation of test plans, test results, and analysis of test results was not sufficient to enable us to conclude that FEC met the federal requirements for TTE of its COOP.

Note on FEC Responses: FEC responses are briefly summarized for presentation. Where FEC disagreed with a recommendation, or significant portions of a recommendation, we show that information. However, when, in our opinion, the FEC response is in general agreement with the recommendations, we did not include minor points.
Attachment 2: Status of Prior Year Recommendations

Status shown is as of September 30, 2012.

1.  Continue to work with NFC and GSA so that the two service providers' systems can be interfaced according to the current timeline.
    Status: Recommendation closed.

2.  Develop a time-phased corrective action plan to convert the manual accounts receivable process to an automated and integrated system.
    Status: Recommendation closed.

3.  Implement baseline configuration standards for all workstations and require documentation and approval of any deviations from this standard.
    Status: Recommendation open.

4.  Fully implement USGCB/FDCC standards.
    Status: Recommendation open.

5.  Implement logging of configuration changes to ensure that all system changes are processed through the change management framework.
    Status: Recommendation open.

6.  Include all components of the general support system, including workstations, into the organization's vulnerability scanning process.
    Status: Recommendation open.

7.  Implement procedures to ensure that scan results are subject to a "root cause" analysis to ensure that problems are fully resolved.
    Status: Recommendation open.

8.  Develop a process to ensure that vulnerabilities identified through scanning are documented in a corrective action plan, and monitored to ensure timely remediation.
    Status: Recommendation open.

9.  Establish and publish a policy that requires annual recertification of users' access authorities.
    Status: Recommendation open.

10. Assure sufficient resources are provided to the document and records management system (Livelink) so that it can be completed no later than June 2012.
    Status: Recommendation closed. This recommendation was rolled into Recommendation 9 since LiveLink is no longer being used for this purpose.

11. Validate all active users to assure that only individuals who are currently and properly authorized have access to FEC's information and information systems.
    Status: Recommendation open.

12. Analyze the reasons separated personnel retained access to FEC systems, and develop additional controls to ensure that FEC timely removes access for individuals who leave the agency.
    Status: Recommendation open.

13. Establish controls that would automatically suspend an individual's network access if security awareness training is not completed within required timeframes.
    Status: Recommendation open.

14. Ensure all personnel and contractors that have not yet taken the security awareness training complete it within the next 30 days.
    Status: Recommendation open.

15. Ensure that sufficient resources are assigned to the task of testing the COOP in order to reduce the risks to FEC operations.
    Status: Recommendation open.

16. Develop specific control processes and issue operational policies that establish automated control procedures to ensure that FEC uses software and associated documentation in accordance with contract agreements and copyright laws.
    Status: Recommendation closed.

17. Restrict network folders and subfolders containing copyright applications and software to only authorized users, based on the operational policies developed and implemented.
    Status: Recommendation closed.

18. Review all folders and files on the "userinstall" network folder, and remove all applications and data that are not current, or do not meet the specific operational purposes of this folder.
    Status: Recommendation closed.

19. Formally adopt the NIST IT security controls established in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, and SP 800-53, Recommended Security Controls for Federal Systems and Organizations.
    Status: Recommendation open.

20. Require FEC contractors to adhere to the FAR-related IT controls when providing services to the FEC to ensure sufficient controls are in place to meet best practices.
    Status: Recommendation open.


Federal Election Commission
Fiscal Year 2012 Financial Statement Audit
Management Responses to Audit Findings

The Federal Election Commission has made significant strides in addressing findings and recommendations that arise through the annual financial statement audit.
In FY 2012, the FEC fully resolved the significant deficiency related to internal controls over financial reporting and continues to address Information Technology (IT) security control needs identified that relate to Information Technology policies, practices and procedures. The Federal Election Commission's responses to the FY 2012 audit findings were provided in the draft document sent by the Office of the Inspector General on November 6, 2012.

The agency maintains the highest level of commitment to its information technology security and systems. Although the FEC is exempt from most of the requirements of the Federal Information Security Management Act (FISMA), the agency still incorporates many of FISMA's best practices. The FEC has in place directives and a corrective action plan that is reviewed twice a year to mitigate potential risk factors. The agency's financial management systems are provided by NFC and GSA under shared service agreements. The FEC receives and relies upon SSAE 16 audit reports to obtain assurance over financial applications provided by GSA and NFC.

The FEC has established 34 policies, 18 standards and 8 procedures to govern and define the agency's IT security program, following the guidance published by the National Institute of Standards and Technology (NIST), although the agency is exempt from many of those requirements. The FEC has concurred with a number of the recommendations provided by the audit, and will continue to implement those recommendations where economically and technically feasible and where such actions fit within the management framework of the agency. While the FEC requests budget funds to comply with applicable IT control standards, the FEC does not find it feasible to request additional funding to adopt FISMA requirements that Congress has exempted this agency from adhering to. The Office of the Chief Information Officer has incorporated many industry "best practices" in establishing the FEC's IT security and monitoring program.

A large portion of the findings and recommendations stemming from the Financial Statements Audit are concerned with the agency's Continuity of Operations Plan (COOP). The audit does not identify the FEC's category rating in the continuity of government plans. The FEC is a category 4 agency in the continuity of government plans, which translates to the lowest priority for continuing agency operations in the event of a government-wide disruption of government services. Therefore, the FEC's approach to the COOP centers on an event that would affect FEC agency operations only, and does not address events affecting the government as a whole. An example of this would be if the FEC's building alone became unavailable for use due to a building malfunction. This approach greatly reduces the scope of the COOP to FEC-specific mission functions. To further reduce the risk of FEC systems loss due to a building malfunction, the agency has recently completed the data center consolidation project to close down its internally operated data center and move it off-site to a certified contractor data center. Therefore, the FEC's COOP has been tailored to suffice in support of the agency's mission and responsibility to the government as a whole, as well as within the availability of resources (budget and personnel) as approved through the budget process.

Management's responses to each individual IT finding are contained within this report, with an explanation as to why the FEC may not agree with the finding. It is also noted that such an extensive IT concentrated audit is perhaps not appropriate under the guise of a Financial Statement Audit, and may dilute the objective of the audit.


Federal Election Commission
Office of Inspector General

Fraud Hotline
202-694-1015
or toll free at 1-800-424-9530 (press 0; then dial 1015)
Fax us at 202-501-8134 or e-mail us at oig@fec.gov
Visit or write to us at 999 E Street, N.W., Suite 940, Washington DC 20463

Individuals, including FEC and FEC contractor employees, are encouraged to alert the OIG to fraud, waste, abuse, and mismanagement of agency programs and operations. Individuals who contact the OIG can remain anonymous. However, persons who report allegations are encouraged to provide their contact information in the event additional questions arise as the OIG evaluates the allegations. Allegations with limited details or merit may be held in abeyance until further specific details are reported or obtained. Pursuant to the Inspector General Act of 1978, as amended, the Inspector General will not disclose the identity of an individual who provides information without the consent of that individual, unless the Inspector General determines that such disclosure is unavoidable during the course of an investigation. To learn more about the OIG, visit our Website at: http://www.fec.gov/fecig/fecig.shtml

Together we can make a difference.